Data Encryption and Passphrases

    Article summary

    This article provides a concise, technically accurate explanation of Backblaze’s encryption system, clarifies terminology, and explains what protections exist depending on whether you use the default encryption model or also supply a passphrase.

    Backup Data Encryption

    Before your backed-up data leaves your computer, the Backblaze Backup Client encrypts it with a strong, industry-standard “backup key” generated specifically for your backup. No one, including Backblaze, can read your backed-up data without the corresponding backup key.

    In the default configuration:

    • Backblaze securely stores and manages your backup key in its data centers.

    • You can restore your backed-up data without providing an additional key.

    Passphrase

    You can add an extra layer of security to your backed-up data by setting a passphrase, which you supply and which Backblaze never stores.

    When you use a passphrase:

    • Backblaze still stores your backup key, but it encrypts that key with your passphrase before storing it in the data center.

    • Backblaze never stores your passphrase.

    • Without your passphrase, Backblaze cannot decrypt your backup key and therefore cannot read or restore your data.

    • Backblaze uses your passphrase only when you provide it, such as when restoring data or when changing or removing the passphrase.

    • After Backblaze uses your passphrase, Backblaze immediately discards it. As a result, if you forget your passphrase, Backblaze cannot restore your data or change or remove the passphrase.

    Example

    A simplified way to understand the two modes:

    • Default mode: You store your items in a secure locker. The facility manages the key that opens the locker.

    • Passphrase (PEK) mode: You store your items in a locker, but you keep the only key in a personal safe protected by a combination lock that you control. The facility never has that combination, and if you lose it, no one, including you, can open the locker.

    This mirrors the distinction between Backblaze-managed encryption and passphrase-based encryption.
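The two modes described above, as an added worked example (not Backblaze's own code or cipher suite): a random per-backup key encrypts the data, and in passphrase mode only a passphrase-derived key wraps that backup key, so the stored record never contains the passphrase. The `seal`/`unseal` envelope, the KDF parameters and the record layout are constructed for illustration.

```python
import hashlib, hmac, os

# Constructed illustration only (not Backblaze's real cipher suite): an encrypt-then-MAC
# envelope built from HMAC-SHA256 so the example runs on the standard library alone.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def passphrase_key(passphrase, salt):
    # Slow KDF so a stolen wrapped key cannot be cheaply brute-forced (parameters assumed).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)

def backup(plaintext, passphrase=None):
    """Client side. Returns exactly what the data center stores: the encrypted data plus the
    backup key, in the clear (default mode) or wrapped under the passphrase (PEK mode)."""
    backup_key = os.urandom(32)                      # per-backup data key
    stored = {"ciphertext": seal(backup_key, plaintext)}
    if passphrase is None:
        stored["backup_key"] = backup_key
    else:
        salt = os.urandom(16)
        stored["salt"] = salt
        stored["wrapped_backup_key"] = seal(passphrase_key(passphrase, salt), backup_key)
    return stored                                    # the passphrase itself is never stored

def restore(stored, passphrase=None):
    """Data-center side. Only a passphrase supplied at restore time can unwrap the key."""
    if "backup_key" in stored:
        backup_key = stored["backup_key"]
    elif passphrase is None:
        raise ValueError("passphrase required: stored key is wrapped and cannot be unwrapped")
    else:
        backup_key = unseal(passphrase_key(passphrase, stored["salt"]), stored["wrapped_backup_key"])
    return unseal(backup_key, stored["ciphertext"])

def can_restore(stored, passphrase=None):
    try:
        restore(stored, passphrase); return True
    except ValueError:
        return False
```

A wrong passphrase derives a different wrapping key, so unwrapping fails authentication rather than yielding a garbled backup key; this is the property behind "if you forget your passphrase, Backblaze cannot restore your data".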
